Update, Jan. 12, 2025: This story, originally published Jan. 10, now includes a warning about AI-driven attacks, as well as a statement from Google regarding the latest report that highlighted Gmail usage in the Solana key theft campaign.
As the world’s biggest free email platform, Gmail often finds itself in the crosshairs as far as hack attacks are concerned. A new report has revealed how that’s the case as a new threat campaign stealing private keys to drain Solana crypto wallets is using and abusing trust in Gmail at the heart of its attack strategy. Here’s what you need to know.
Hackers Abuse Trust In Gmail To Target Crypto Keys
Not one, but two threat actors are targeting holders of Solana crypto wallets using overlapping tactics and techniques to steal private keys. The common denominator, however, is that Gmail is being used as the relay to exfiltrate the key data used to drain the wallets. The Socket Threat Research Team published their findings in a Jan. 8 report titled “Gmail For Exfiltration: Malicious npm Packages Target Solana Private Keys and Drain Victims’ Wallets.”
Threat intelligence analyst Kirill Boychenko said that Socket had found malicious node package manager packages “designed to designed to exfiltrate Solana private keys via Gmail,” using code to intercept private keys from wallet interactions and “funnel them through Gmail’s SMTP servers.” The use, or more accurately abuse, of Gmail here is important according to Boychenko. Gmail is such a well-known and trusted email service that “these exfiltration attempts are less likely to be flagged by firewalls or endpoint detection systems,” the report said, because they treat smtp.gmail.com as being legitimate traffic.
A Google spokesperson provided me with the following statement:” We’re aware of this class of attack and have account hijacking protections that detect this type of behavior (the exfiltration then forwarding combination,) and secure the victim’s account by asking users to reauthenticate. These protections work regardless of the email platform a recipient is using.”
I have reached out to Solana for a statement.
AI And Gmail Remain Fundamentally Linked In The Attacker Mindset
The threat to Gmail and other email users from AI-driven attacks has been well covered in recent months, but AI poses a broader attack surface according to Dmitry Volkov, CEO of Group-IB. “Cybercriminals continue to use AI in advanced ways,” Volkov said, “like AI jailbreaks, generating malicious code, and even seeking technical advice for cyberattacks.” Importantly, AI enables them to create scams as we have already seen and Gmail users have already experienced, as well as gather intelligence and even launch mass or highly targeted attacks, “especially through social media and online reconnaissance,” Volkov warned “which are increasingly challenging our current defense strategies.” There seems little doubt, then, that Generative AI and large language models will continue to play a key role in Cybercrime-as-a-Service threats where attackers “automate the creation and deployment of cyber threats such as phishing campaigns, exploit kits, malware, and more,” Volkov said.
Such threats can be seen in the growth of what Volkov referred to as shapeshifting and hyper-scaling fraud. “Fraudsters are finding innovative ways to exploit AI for scam automation, marketing, and distribution,” Volkov said, “deepfake technology, social engineering ploys, automated chats, emails, and phone calls are now part of advanced scams to create even more convincing fraud platforms, online affiliate programs, and fabricated identities and credentials to deceive and defraud victims.” One component of these evolving campaigns, within this scam ecosystem, is the rise of the scam call center. “Once confined to less developed regions due to limited legislative power and lax enforcement,” Volkov warned, “these centers are forming an illegal global economy.“ Crime networks’ financial schemes now either involve individuals directly, through trafficking to scamming compounds, Volkov said, or indirectly, by luring people into fraudulent activities through fake job postings, pig butchering schemes, and other scam-related content.
Hackers Leveraged Google AI-Powered Summary And Gmail Key Exfiltration
The malicious npm packages were disguised as legitimate tools, using typo-squatting to appear like one hugely popular package with 93 million downloads and, according to Socket, around a million downloads every week. “@async-mutex/mutex is a typosquat of the popular npm package async-mutex, which provides a mutual exclusion mechanism (mutex) for asynchronous JavaScript operations,” the report said. A warning was also issued by the researchers regarding the Google AI-powered summary for the malicious package, which produced a “friendly-sounding preview” that obscured the hidden malware and left developers exposed to serious risk. “When AI-driven summaries overlook embedded threats,” Boychenko said, “they may guide even cautious users toward installing harmful dependencies, endangering individual projects and the broader software supply chain.”
The researchers said that, at the time of the report publication, the malicious packages remained live and available for download but they had petitioned for their removal. “We also reported two GitHub repositories,” Boychenko said, “used by the threat actor…to amplify the malware campaign and lend legitimacy to these malicious packages.” I have reached out to GitHub for a statement. The attack code can handle multiple private keys simultaneously, the report said, allowing an attacker to compromise multiple user accounts or environments at once, with the discovered keys being exfiltrated to hacker-controlled Gmail addresses, which I won’t publish here but are accessible in the report itself.
